Document/Data Retention Policy

27 August 2004

Enron. Document shredding. File deletion. Arthur Andersen.

It's one of those old law school clichés: "Law is common sense as modified by the courts and legislature." Now, let's take this idea and apply the smell test to Arthur Andersen's past actions. In case you were in Antarctica over the last few years (do they have CNN International in Antarctica?), the Big Five accounting firm Arthur Andersen destroyed many documents relating to their audit of oil industry giant Enron. Of course, they did this as Enron was about to collapse.

It should not be a novel concept that hitting the delete button doesn't mean that you have destroyed your document.

Now, my nose is perking up. It stinks in here. Of course, we believe that the destruction of these documents was the innocent act of a completely innocent auditor. The stench is getting worse.

Applying the smell test and common sense, you know that you can't audit a multi-zillion dollar company and then destroy the documents underlying your audit just before the bottom drops out. I'm sorry, but that doesn't take three years of law school.

What were they thinking? The only thing that would seem to make sense is that they thought no matter how bad the flak from destroying the documents, it would be worse if anybody saw the documents. But we are no longer at the dawn of the computer age. It should not be a novel concept that hitting the delete button doesn't mean that you have destroyed your document.

Legally Destroying Data

The law does permit you to destroy data, whether digital or paper. If you apply the common sense and smell tests, you realize that the law has to allow this. The alternative is endless warehouses and data storage centers filled with things that are of no use to anyone. Of course, this begs the question – when can you destroy data?

The simple answer is you can destroy data as long as you have no reason to believe that litigation or a government investigation is imminent. It's that smell test again. If you can smell the litigation coming, your data destruction will develop its own stench.

What your company needs to do is develop a document retention policy. With so much data living on computers, the issues relating to data retention has moved from the realm of the general corporate lawyer into the world of the tech lawyer. A good Policy has to not only take into account paper documents, but even more importantly, digital data.

Even the commonly used term "document retention policy" is as dated as the term "cc" to mean "carbon copy." In both cases, the terminology has been slow to change, but I would suggest that you should really call your policy a "data retention policy," since the paper version of the data is just one form of your data and in many ways the easiest to destroy.

Enron and Arthur Andersen notwithstanding, there is nothing necessarily nefarious in having a data retention policy. It serves at least three legitimate goals. It saves valuable computer and physical storage space. It reduces the volume of your stored documents making it easier to find something when you need it. Finally, if there is no legal obligation to keep data, it reduces the likelihood that somebody on a subpoena fishing expedition will dig up something to exploit in future litigation. All three goals are legal and proper.

To keep yourself on the correct side of the law, the first step in creating a policy is to consider any specific laws that may require you to keep certain types of documents for a specific time. If you're in a regulated industry, like banking or health care, you need to consider specific laws aimed at your industry. You also need to consider things like tax laws in case the IRS wants to audit your tax returns.

After reviewing these preliminary considerations, you have to consider all the different types of data you have and all its different forms. A data retention policy is an essential document for every business, but creating it is never easy. There's always an overlay of business needs, accounting needs and legal issues.

While it's not a fun task that immediately translates to your company's bottom line, you need to attend to putting together an effective and legal data retention policy. When you're done, if it passes the smell test and you follow your policy, you won't find yourself in anybody's crosshairs if a document doesn't exist, provided that you legally and properly destroyed it based upon your long-standing Data Retention Policy.

Mark Grossman's "TechLaw" column appears in numerous publications. Mark Grossman has extensive experience as a speaker as well. If you would like him to speak before your group or corporate meeting, please call (305) 443-8180 for information.

You can find a TechLaw archive at:

If you have any comments, please send them to

Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.

Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.